The Mastodon "Remote follow" feature could be so easily used to phish the average Mastodon user into signing into a fake instance.
⚠️ Important security reminder: Always make sure the URL shows your "home instance" when logging in.
@fj Isn't this an area where customizing the way Mastodon looks based on a per-user cookie (something the fake site can't see) would help?
@fj you're never prompted to log in though, well at least not if you're already logged in.
Pro tip to get around it, copy paste URL of profile into the search field to find the person you want to follow.
@fj this is what password managers excel at. They won't fill in a password on a different instance (or any phishing site) and you can't enter a password because you don't know it.
@fj Keen thought sir, thanks for the reminder. Even then, don't trust urls — manually type them.
@fj and turn on 2FA
@fj Better yet – don't use the "remote follow" flow. It's faster to paste the URL into the search bar on your home instance anyway.
@fj also avoid buying domains to run instances here containing the letter l since, l's look like 1s (ones), you may be fishy fishied
@fj Tell that to people who defends Unicode in URLs
@fj If you want to follow someone, or boost something you only have a direct link on their instance to, you can just paste the URL into the search field in your instance and the right thing will happen 🙂
Server run by the main developers of the project It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!